The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy
The European Union recently released draft legislation that has the potential to transform EU data privacy law. The draft General Data Protection Regulation (“draft Regulation”) proposes a range of new individual rights designed to protect consumers whose personal information is collected, processed, and stored by corporations and other entities.1Most notably, the draft Regulation would establish a consumer’s “right to be forgotten,”2 mandating that entities that collect or process data—which, for ease, I will call “data users”3—must delete any data relating to an individual “data subject”4 upon his request. Furthermore, any third parties with whom this information has been shared would also generally be required to respect the data subject’s request for deletion.5
The draft Regulation, which was approved by the European Commission in January 2012, is unlikely to be finalized and enter into force for at least another several months.6 But the legislation has already proven highly controversial for its potential applicability to any corporation that processes the personal data of EU citizens (including U.S. corporations),7 for its potential effects on free speech rights8 and criminal investigations,9 for its alleged technological infeasibility,10 and for the possibility that it may impede bilateral policymaking efforts between the United States and the European Union.11
A yet unexplored dimension of the draft Regulation, however, is its relationship to broader questions about what rights-and-remedies scheme is most appropriate for protecting consumer privacy in data collection. Though the Regulation is framed in the fundamental-human-rights terms typical of European privacy law, this Comment argues that it can also be conceived of in property-rights terms. The Regulation takes the unprecedented step of, in effect, creating a property regime in personal data, under which the property entitlement belongs to the data subject and is partially alienable. More specifically, the data protection plan takes for granted that personal data has become akin to a commodity capable of changing hands; working off of this reality, it allows for the highly regulated exchange of data while also adapting rights and remedies commonly associated with property in service of the goal of protecting consumer privacy. The Regulation’s use of property-derived rights is particularly unusual and significant since a human-rights-based approach to privacy—which the EU generally embraces—is often thought of as incompatible with a property-rights-based approach.12
The EU’s proposal includes three elements in particular that lend themselves to a property-based conception: consumers are granted clear entitlements to their own data; the data, even after it is transferred, carries a burden that “runs with” it and binds third parties; and consumers are protected through remedies grounded in “property rules.” In these respects, the proposed scheme is remarkably similar to existing, heretofore purely theoretical, proposals for property regimes for protecting personal data, especially the model proposed by Paul Schwartz in 2004.13 But the draft Regulation seems to be one of the first legislative proposals that would actually implement this kind of propertized personal data regime.
This Comment proceeds in two Parts. Part I outlines some theoretical proposals for propertized personal information designed to remedy the shortcomings of contemporary data protection law, exploring the features of “property” that scholars have seized on in presenting these proposals. Part II argues that these property-oriented safeguards are present in the draft Regulation, even though the Regulation is not at all framed in property terms. The Conclusion briefly explores the implications of this analysis for the broader question of whether propertizing personal data can be reconciled with treating privacy as a human right, pointing out that the draft Regulation seems to transcend this debate by adapting the rights and remedies commonly associated with property in service of a human-rights-driven approach to privacy.
I. data privacy and property
Both the United States and the European Union provide some privacy protections for consumers during data collection, but neither has established a property scheme to this effect. Neither U.S. law nor EU law considers data subjects to have proprietary interests in their own personal information.14 Both instead provide consumers with some limited options to sue for damages when their privacy is compromised in the course of data processing. These “liability rule”15 protections are based in the common law of tort or contract (in the United States),16 subject-specific statutes (also in the United States),17 or omnibus privacy legislation (in Europe).18
But despite the fact that data privacy is still protected through liability rules, the corporations that process personal data increasingly treat it as a commodity. Corporations collect this information from consumers (often as a quid pro quo during the sale of goods or services), compile it, and often sell these collections to other corporations.19 Even U.S. courts have occasionally recognized data as a kind of property, but only after it has been collected by a corporation.20
In reaction to this trend, scholars, especially in the early 2000s, began exploring alternative data privacy protection schemes derived from property law and theory. Lawrence Lessig is one of the best-known proponents of creating a free market in personal data. Under Lessig’s proposal, consumers would hold the original property entitlements to their own personal information and would be able to bargain with data users to determine when it would be advantageous to forfeit their privacy by selling their data.21 Critics of this proposal highlight the dangers of allowing consumers to freely sell their private information, pointing especially to the potential information disparities in a personal data market. Under an unregulated market system, consumers could be convinced to sell their information without completely understanding the full scope of how corporations might use it, or the degree to which their privacy would be compromised by the transaction.22
In response to these concerns, scholars including Paul Schwartz, Edward Janger, and Vera Bergelson have proposed highly regulated property regimes that would carry some property-oriented rights and remedies but not others. Schwartz’s proposal is the best known—indeed, it was recently endorsed by Timothy D. Sparapani, the former Public Policy Director of Facebook23—and will be the primary focus of this Comment.
“Property” is a notoriously nebulous concept, and Schwartz (as well as other theorists of data property) has declined to adopt a cohesive definition, understanding “property as a bundle of interests rather than despotic dominion over a thing.”24 Proponents of a regulated data property regime all focus on the ways that personal information is already treated as a commodity by corporations and argue that protecting such data with a legally cognizable property entitlement, vested in data subjects and regulated in various ways, provides necessary protections that are absent in the status quo.25 Rather than arguing that the free market can do all the work of protecting privacy, as Lessig does, they instead seize on some of the other rights and remedies commonly associated with property regimes and explore how conceiving of data as property for certain purposes might in fact offer the best option for protecting consumer privacy while still enabling individuals to share their data with data users under certain circumstances. For example, Schwartz especially seizes on one of the features commonly associated with property regimes: under some property schemes, “the burden of a property right ‘runs with the asset’” in question.26 This feature allows for property rights to create burdens that bind third parties—third parties with whom I have no explicit legal relationship nonetheless have a duty to respect my property rights in an asset—in contrast to contract rights, which bind only the specific parties in privity.27 This is particularly important in the context of data privacy, because it allows a data subject to retain some rights in her data, even in transactions between data users to which the subject is not a party.
Schwartz uses this definition to argue that crafting a regime in which consumers have legally enforceable property interests in their data would “enable[] certain interests to be ‘built in’” to personal data.28 Such a regime would “allow[] individuals to share, as well as to place limitations on, the future use of their personal information” and is property-like in that data subjects’ interests “follow the personal information through downstream transfers and thus limit the potential third-party interest in it.”29 Schwartz’s model, in this respect, is predicated on the assumption that free alienability is not “an inexorable aspect of information-property.”30 Indeed, Schwartz argues that a propertized data scheme, even while treating data as a commodity for certain purposes, should place limits on a consumer’s right to fully sell her personal information on an open market.31
In practicable terms, Schwartz advocates for several requirements in a hypothetical propertized personal data scheme, two of which are most clearly tied to the unique benefits of propertization.32 First, such a scheme would clearly vest the original entitlement to personal information with the data subject. Schwartz frames this requirement as a default rule requiring consumers to “opt in” to any use of their information.33 Even after opting in, consumers would always maintain a “right of exit” from existing agreements to data processing, to “prevent[] initial bad bargains from having long-term consequences.”34 In this respect, an individual would only ever partially (and temporarily) forfeit her right to exclude others from the data, similar to a licensing scheme.35 Second, such a scheme would also give consumers rights enforceable against third parties and the burden of these rights would run with their data. Further transfers of the data would be subject to “use-transfer” restrictions: consumers could agree to initial use of their data by a private entity, but “block further transfer or use” by other entities who might gain access to the data through downstream transactions.36
Other advocates of propertizing data, including Janger and Bergelson, devote significant attention to a third feature common to property regimes: remedy. As discussed above, under current law, data privacy is generally only protected by liability rules. A defendant may be ordered to pay damages, but remedies commonly used to protect property interests, such as injunctions or punitive damages,37 are generally not available. As Janger notes, under a data property regime, a data subject’s rights would be protected by property rules, rather than liability rules. A data user may not simply “choose to violate” a data subject’s interest in her own personal information and pay appropriate damages; rather, “[p]ropertization changes the order of this interaction. Either through criminal sanction, affirmative judicial order, or prohibitively high (and/or punitive) fines, a property rule makes a non-consensual taking infeasible.”38
The next Part demonstrates that even though the draft Regulation is not presented as explicitly establishing property-like protections for personal data, these three features—default entitlements, burdens that run with the data, and property-rule-based remedies—are all present in the Regulation’s rights-and-remedies scheme. The Conclusion then explains the significance of this finding for broader debates about whether a human-rights-driven approach to privacy can be reconciled with treating personal data as property.
II. the draft regulation as a property regime
The EU draft Regulation,39 if adopted, would modify current European data protection law significantly.40 Most importantly, the legislation would establish new individual data privacy rights including a “[r]ight to be forgotten.”41These provisions are self-consciously framed as stemming from the human right to privacy enshrined in documents like the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union.42 Viviane Reding, the Vice President of the European Commission, has explained that “[p]ersonal data protection is a fundamental right for all Europeans” and that the draft Regulation was crafted with this human-rights-oriented approach in mind.43
But despite the fact that the draft Regulation is grounded in human rights rhetoric and employs no property terminology, its protections nonetheless function remarkably like the regulated property schemes described in the last Part. While the right to be forgotten and the Regulation’s other consumer-protection rights are not themselves “property rights” enforceable against third parties, they stand for a set of interests in, and burdens placed on, consumer data that can be best understood in property terms. The remainder of this Part demonstrates how the draft Regulation creates a scheme that adopts three of the principal features of propertized personal information described by Schwartz and others: (1) default data subject entitlements that are only partially alienable; (2) burdens that run with the asset and bind third parties; and (3) property-rule-based remedies.
A. Data Subjects Maintain Default Entitlements to Their Own Personal Information that Are Only Partially Alienable
The various requirements imposed on data users by the draft Regulation are all predicated on the notion that the data subject maintains the default entitlement to her personal information. Article 6 outlines a limited set of circumstances in which the collection and processing of data is lawful, the clearest of which is explicit “consent” by the data subject. Under this framework, a data subject must explicitly opt in to granting a data user access to her information in order for future processing to be lawful.44
Article 6 also lists specific (though seemingly rare) circumstances where no explicit consent has been proffered but the data user has some obligation that necessitates the data processing. For example, if “processing is necessary for the performance of a contract to which the data subject is party,” it is lawful even without the explicit consent of the data subject.45 However, even in these special situations where the data subject has not explicitly consented to processing, she must still be explicitly informed that her data has been collected and that she maintains the prerogative to end any data processing by requesting that her data be erased from the databases in which it is currently being held.46
The data subject may exercise a right of exit—namely, her “right to erasure” (or “right to be forgotten”)—at any time, with restrictions based on the original grounds under which the data was collected. For example, if the data processing was originally lawful only because the data subject had expressly consented—the most likely scenario—the data subject may withdraw that consent and demand erasure at any time.47 But if the processing was based on one of the circumstances in which explicit consent is not necessary (for example, the “processing is necessary for the performance of a task carried out in the public interest”48), the data subject may still object to the processing.49 Unless the data user can demonstrate “compelling legitimate grounds for the processing,” the data user must also erase this data.50
In this respect, the draft Regulation is predicated on the assumption that although data is a kind of commodity capable of changing hands, the data subject always retains the ultimate entitlement to this property. A data user may essentially receive a “license” to use the subject’s data,51 since the data subject has temporarily waived her right to exclude it from using her information. But the data subject maintains the discretion to terminate this license and force the data user to cease storing or using her information.
The draft Regulation arguably goes a step beyond most real and intellectual property schemes in that it establishes that individuals always maintain the ultimate entitlement to their own personal data and may not forfeit their rights through contract. Like in Schwartz’s proposed model, individuals may never completely sell or forfeit their right to block use of their personal information.52 In this respect, the draft Regulation’s scheme is similar to a more unusual area of intellectual property: the moral rights of artists, which grant an artist a proprietary interest in his own work, even after it has been sold, that prevents others from altering or destroying the work.53 In France, an artist may never contract away this right.54
B. Data Subjects’ Rights Create Burdens that “Run with” the Data
The draft Regulation establishes that the data subject’s proprietary interest in her own data—her original entitlement to that information and right to reclaim it from the control of others—creates a burden that runs with the data and binds third parties. In other words, the data subject maintains a right to demand that her data be erased, not only by the original data user with whom she dealt, but also from the databases of any other entities that may have gained access to the data. The draft Regulation states that any data user must “take all reasonable steps . . . to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data.”55 These third-party data users would be bound to respect the data subject’s exercise of her right to be forgotten or risk incurring sanctions under the Regulation.
This requirement is one of the most property-like features of the new regime in that it creates a burden that “runs with” the data subject’s information. Rather than conceiving of privacy protection as purely in personam, the draft Regulation instead grounds these rights in the data itself. Like in Schwartz’s model, then, the data subject’s interest is “built in” to the data,56 functioning like a kind of negative covenant.57 Any data users that gain access to the data subject’s information, irrespective of whether they are in privity with the data subject, must still respect what Schwartz might call the “use-transferability” restrictions58 built into the data that give the original data user the discretion to terminate processing.
C. Data Subjects Can Seek Property-Rule-Based Remedies
The remedy system established by the draft Regulation also mirrors the scheme often used to protect property interests. As discussed in Part I, an interest is protected by a “property rule” if it is protected from an unwanted taking by another party, under the assumption that property can only legitimately change hands based on the true consent of the original owner.59 Courts and legislatures often (though not always) protect such interests using remedies designed to restore the true owner’s entitlement (injunctions)60 or to deter parties from violating the entitlement to begin with (fines or punitive damages).61
The draft Regulation provides several avenues for a data subject to enjoin a data user to erase her data, in essence enforcing the data subject’s entitlement by “returning” the information to her exclusive ownership. Individuals may “lodge a complaint” against data users through their local “supervisory authority”—the regulatory bodies charged with enforcing compliance with the Regulation62—which have the power “to order the rectification, erasure or destruction” of data.63 Additionally, a data subject may bring a direct action against a data user in local courts, which are also empowered to enforce the provisions of the Regulation using injunctions.64Finally, a data user that “intentionally or negligently” fails to respond to a data subject’s attempt to exercise her right to be forgotten may be subject to extremely high fines: “500,000 [euro], or in case of an enterprise up to 1% of its annual worldwide turnover.”65
Conclusion
Though the EU’s draft Regulation is framed as stemming from the human right to privacy enshrined in European public law,66 this Comment has argued that it also, implicitly, treats personal data as a commodity capable of changing hands. While the Regulation forbids free marketization of data, it nonetheless uses property-derived rights and remedies—similar to those identified by Paul Schwartz and other scholars—to protect personal privacy in the course of data processing. By creating default data subject entitlements to data, a quasi-licensing scheme for data users who seek to use this data, use-transfer restrictions that “run with” the data, and property-rule-based remedies, the draft Regulation would dramatically overhaul the current system of primarily liability-oriented protections.
The fact that a regime might utilize some property-derived rights and remedies in service of human-rights goals may seem incongruous, considering that we often treat propertization as anathema to human-rights interests.67 But the draft Regulation model demonstrates that a regulated property regime—in which some but not all of the property-rights “sticks” are granted to consumers—might, in fact, be able to accommodate the same normative impulse that drives some to conceive of data privacy as a fundamental human right: the notion that uninhibited exchanges of personal data corrode human dignity and personhood.68 The draft Regulation is predicated on the assumption that we live in a world in which personal data has been and will be treated like a commodity and simply banning exchanges of personal data is not a viable option; instead, regulating these exchanges and providing consumers with additional agency, using property-derived rights and remedies,69 offers the best hope of protecting the dignitary, human-rights-driven privacy interests at stake.70 This reflects the assumption that “property is an artifact, a human creation that can be, and has been, modified in accordance with human needs and values”71 that also underlies the propertized data model proposed by Schwartz.
In this respect, the European Commission’s apparent willingness to implicitly use property-derived rights and remedies in the service of data privacy protection demonstrates that, notwithstanding claims that this approach has “passed its peak,”72 the prospect of crafting a regulated property regime to protect data privacy still has the potential to inform other data privacy law reform efforts in years to come.
jacob m. victor*
Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, COM (2012) 11 final (Jan. 25, 2012), http://www.europarl.europa.eu/registre/docs _autres_institutions/commission_europeenne/com/2012/0011/COM_COM%282012%290011_EN.pdf [hereinafter Draft Data Protection Regulation]. The draft Regulation seems to be primarily designed to regulate data processing by private entities. While some agencies of EU member-states may also be bound by the Regulation, the majority would fall outside its purview. See id. art. 2(2) (listing, inter alia, “Union institutions, bodies, offices and agencies” and authorities devoted to the “prevention, investigation, detection or prosecution of criminal offences” as entities that are not bound by the Regulation).
The draft Regulation distinguishes between data “controllers,” which own and maintain databases, and data “processors,” which process data on behalf of data controllers. Id. art. 4(5)-(6). Because most of the Regulation’s principles apply to both types of entities, I have adopted the neutral term “data user.”
The draft Regulation defines a data subject as
an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Id. art. 4(1).
Since January 2012, several European Union institutions have proposed amendments to the draft Regulation. For example, the Council of the European Union, a legislative body of ministers of EU member-states, proposed its own version in May 2013. A special committee is also examining various amended versions of the draft Regulation and preparing a text for consideration by the European Parliament. Once this version is approved, the European Parliament and Council of the European Union will enter into negotiations over the compromise version and likely vote on a final version in the next few months. Hunton & Williams LLP, Council of the European Union Releases Draft Compromise Text on the Proposed EU Data Protection Regulation, Privacy & Info. Security L. Blog (June 4, 2013), http://www.huntonprivacyblog.com/2013/06/articles/council-of-the-european-union -releases-draft-compromise-text-on-the-proposed-eu-data-protection-regulation. While some of the newly proposed versions of the draft Regulation significantly amend the original draft, the provisions of greatest significance to this Comment appear to be mostly unaffected. See, e.g., Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation)—Key Issues of Chapters I-IV, Council Eur. Union (May 31, 2013), http://register.consilium.europa.eu/pdf/en/13 /st10/st10227-ad01.en13.pdf (the Council of the European Union’s amended version). Because the final version of the Regulation remains in flux, this Comment focuses only on the text of the original 2012 European Commission draft. See Draft Data Protection Regulation, supra note 1. However, it is important to note that the final version of the Regulation may temper some of the 2012 draft’s more controversial proposals.
See Remarks by U.S. Ambassador to the EU, William E. Kennard, at Forum Europe’s 3rd Annual European Data Protection and Privacy Conference, U.S. Mission to Eur. Union (Dec. 4, 2012), http://useu.usmission.gov/kennard_120412.html (arguing that the draft Regulation could hinder law enforcement cooperation).
See Peter Druschel et al., The Right to Be Forgotten–Between Expectations and Practice, Eur. Network & Info. Security Agency (Nov. 20, 2012), http://www.enisa.europa.eu /activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten/at_download /fullReport (highlighting challenges to implementing the draft Regulation under the existing technical structure of the Internet).
See Paul M. Schwartz, The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 Harv. L. Rev. 1966, 1968-2001 (2013) (outlining the development of the EU-U.S. status quo on data privacy policy). Schwartz argues that “[t]he Proposed Regulation carries a potential for destabilization of the current status quo.” Id. at 1994.
Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. Davis L. Rev. 379, 403-04 (2003) (describing how U.S. law does not grant individuals property rights in their personal information); see also Nadezhda Purtova, Property Rights in Personal Data: A European Perspective 153-220 (2012) (surveying European data protection law and contrasting it with a hypothetical property-based regime).
Under the famous framework developed by Guido Calabresi and Douglas Melamed, an entitlement is protected by a “liability rule” when a defendant may violate it in exchange for paying damages. Guido Calabresi & A. Douglas Melamed, Property Rules, Liability Rules, and Inalienability: One View of the Cathedral, 85 Harv. L. Rev. 1089, 1092 (1972). For a discussion of the differences between property rules and liability rules in the context of data protection, see infra notes 37-38 and accompanying text.
In practice, courts have generally been unwilling to award damages to consumers for breach of contract when a corporation has violated its data privacy policy. See, e.g., In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 326-27 (E.D.N.Y. 2005) (holding, inter alia, that plaintiffs in a class action against JetBlue for breach of its privacy policy were ineligible to recover damages because “the only damage that can be read into the present complaint is a loss of privacy,” which is “not a damage available in a breach of contract action”). Courts have similarly been unwilling to apply the “privacy torts,” Restatement (Second) of Torts §§ 652B-652E (1977), to violations of privacy in data collection and processing. For a survey of such cases, see Purtova, supra note 14, at 99-106.
See, e.g., Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (codified at 18 U.S.C. § 2710 (2012)) (establishing a private cause of action against video rental companies that disclose consumer information). For a survey of these statutes, see Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 839-79 (4th ed. 2011); and Edward J. Janger, Privacy Property, Information Costs, and the Anticommons, 54 Hastings L.J. 899, 904-08 (2003).
See Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 (mandating that corporations provide certain protections to data subjects during data collection and processing). Data subjects may seek damages from corporations that violate the Directive. Id. art. 22, 23(1).
See Jessica Litman, Information Privacy/Information Property, 52 Stan. L. Rev. 1283, 1284 (2000) (“Non-cash purchases are memorialized and toted up. Large cash purchases are memorialized and turned in. Cash withdrawals and deposits are recorded and saved. Visits to the doctor, diagnoses, prescriptions, and referrals are coded and passed along. Everything we look at on the Internet is noted and retained. All of this information is collected, aggregated, and stored on computers. Anyone with reason to do so can correlate the information stored on one computer with the information stored on another, and another, and another. The resulting dossier may be used, sold, published, or correlated with other sources of data. In the United States, that’s completely legal.” (footnotes omitted)); Schwartz, supra note 13, at 2069-72 (describing how personal information is “commodified and traded” in various contexts).
See, e.g., In re Nw. Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459, at *4 (D. Minn. June 6, 2004) (stating that when passengers voluntarily gave Northwest Airlines their personal information and Northwest Airlines compiled that information into a data record, the record “itself became Northwest’s property”); U.S. News & World Report, Inc. v. Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996) (holding that the sale of a magazine mailing list did not constitute conversion because the plaintiff did not maintain a proprietary interest in his name, whereas U.S. News & World Report did maintain a proprietary interest in its collection of names).
See Lawrence Lessig, Code and Other Laws of Cyberspace 122-35, 159-63 (1999); Lawrence Lessig, TheArchitecture of Privacy, 1 Vand. J. Ent. L. & Prac. 56, 63-64 (1999) (“If the law gave individuals the rights to control their data, or more precisely, if those who wanted to use that data had first to secure the right to use it, then a negotiation would occur over whether, and how much, data should be used. The market could negotiate these rights, if a market in these rights could be constructed.”); Lawrence Lessig, Privacy as Property, 69 Soc. Res. 247, 261 (2002).
See Neil Weinstock Netanel, Cyberspace Self-Governance: A Skeptical View from Liberal Democratic Theory, 88 Calif. L. Rev. 395, 476 (2000) (“[M]ost users are not even aware that the websites they visit collect user information, and even if they are cognizant of that possibility, they have little conception of how personal data might be processed.”).
Hansmann & Kraakman, supra note 26, at S378 (“[T]he attribute that distinguishes a property right from a contract right is that a property right is enforceable, not just against the original grantor of the right, but also against other persons to whom possession of the asset, or other rights in the asset, are subsequently transferred.”). Similar, though not identical, to this idea is the notion that “[p]roperty rights . . . are in rem—they bind ‘the rest of the world.’” Thomas W. Merrill & Henry E. Smith, TheProperty/Contract Interface, 101 Colum. L. Rev. 773, 777 (2001).
Id. at 2093; see also Bergelson, supra note 14, at 444-45 (arguing that, under a hypothetical data property regime, some rights to personal data could be declared inalienable even while others are freely marketable); Janger, supra note 17, at 903 (recognizing that a “mandatory crystalline inalienability rule” could be included in a property regime). See generally Hansmann & Kraakman, supra note 26, at S411-12 (providing a general critique of the notion that property rights are synonymous with alienability); Thomas W. Merrill, The Property Strategy, 160 U. Pa. L. Rev. 2061, 2079 (2012) (arguing that alienation is not “essential to the property strategy”).
Schwartz in fact outlines five features in a hypothetical data property regime: “inalienabilities, defaults, a right of exit, damages, and institutions,” Schwartz, supra note 13, at 2094, but also recognizes that “[a] key element of this model is the employment of use-transferability restrictions in conjunction with an opt-in default,” id. (emphasis omitted), which are the two features most tied to the unique nature of property-based protection. For that reason, I focus mainly on these property-based protections, rather than on the other features of the proposed regime.
Janger, supra note 17, at 914; see also Bergelson, supra note 14, at 417 (“On a more abstract level, the choice between the tort regime and the property regime for the protection of personal information means the choice between property rules and liability rules as defined in the seminal article authored by Calabresi and Melamed.”). It is interesting to note that Schwartz self-consciously chooses to use compensatory damages as the main remedy in his model, in lieu of property-rule-based protections. Schwartz, supra note 13, at 2109 (“A state determination of damages through privacy legislation is preferable to the Calabresi-Melamed approach of enforcing the subjective valuations of private parties with injunctions.”). However, in keeping with this Comment’s goal of exploring the unique features that a property regime can bring to data protection, I choose to focus on Janger’s and Bergelson’s use of property-rule-based protections.
The new legislation is a “Regulation,” meaning it would be binding on all EU member-states as law and enforceable in any member-state court. In contrast, the EU’s current data protection Directive, supra note 18, must be implemented by member-states through domestic legislation. Jane Finlayson-Brown, How to Prepare for Proposed EU Data Protection Regulation, Computer Wkly., Mar. 2012, http://www.computerweekly.com/opinion /Proposed-EU-Data-Protection-Regulation-what-should-companies-be-thinking-about.
Q. and A. with Viviane Reding, N.Y. Times, Feb. 2, 2013, http://www.nytimes.com/2013/02 /03/business/q-and-a-with-viviane-reding.html. See generally Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 Hous. L. Rev. 717, 730-32 (2001) (describing how the EU has generally “treat[ed] privacy as a political imperative anchored in fundamental human rights”).
See supra notes 34-35 and accompanying text. The data could be said to be partially protected by what Calabresi and Melamed call an “inalienability rule.” Calabresi & Melamed, supra note 15, at 1092-93 (“An entitlement is inalienable to the extent that its transfer is not permitted between a willing buyer and a willing seller. The state intervenes not only to determine who is initially entitled and to determine the compensation that must be paid if the entitlement is taken or destroyed, but also to forbid its sale under some or all circumstances.”).
The comparison with moral rights is also instructive here: to the extent an artist maintains a right that future purchasers not destroy or alter her work and “the artist can . . . enforce that right against subsequent third-party transferees of the painting,” she maintains “a property right in the painting.” Hansmann & Kraakman, supra note 26, at S379. We might understand the burden placed on future holders of the artwork as “a type of negative covenant held in gross (that is, personally) . . . that would let the artist prevent any subsequent owner of a work of art from altering it.” Id. at S377. So too here, a data subject’s right to demand erasure by any third parties that gain access to her personal information, irrespective of whether that party is in privity with the data subject, creates a kind of negative covenant on the data that binds third parties.
See supra notes 37-38 and accompanying text. Janger defines a property rule by distinguishing it from a liability rule:
Where an entitlement is protected by a liability rule, the defendant may choose to violate the right and pay damages. In other words, a non-consensual taking may precede negotiation over price. Propertization changes the order of this interaction. Either through criminal sanction, affirmative judicial order, or prohibitively high (and/or punitive) fines, a property rule makes a non-consensual taking infeasible.
Janger, supra note 17, at 914.
See, e.g., eBay Inc. v. MercExchange, L.L.C., 547 U.S. 388, 395 (2006) (Roberts, C.J., concurring) (“From at least the early 19th century, courts have granted injunctive relief upon a finding of infringement in the vast majority of patent cases. This ‘long tradition of equity practice’ is not surprising, given the difficulty of protecting a right to exclude through monetary remedies that allow an infringer to use an invention against the patentee’s wishes . . . .”).
For example, in a now-famous case, the Wisconsin Supreme Court affirmed an award of $100,000 in punitive damages to a victim of trespass, even though the actual damages were minimal, because “the individual and society have significant interests in deterring intentional trespass to land, regardless of the lack of measurable harm that results.” Jacque v. Steenberg Homes, Inc., 563 N.W.2d 154, 159 (Wis. 1997).
See Margaret Jane Radin, Incomplete Commodification in the Computerized World, in The Commodification of Information 3, 17 (Niva Elkin-Koren & Neil Weinstock Netanel eds., 2002) (“It makes a big difference whether privacy is thought of as a human right, attaching to persons by virtue of their personhood, or as a property right, something that can be owned and controlled by persons. . . . Human rights are presumptively market-inalienable, whereas property rights are presumptively market-alienable.”).
See id.; Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get), 2001 Stan. Tech. L. Rev. 1, ¶ 93 (arguing that a “market-based model [of the right to privacy], which seeks to facilitate the transfer of control over privacy interests, is clearly at odds with th[e] tradition” of treating privacy as a personhood interest).
Notably, Radin’s skepticism of protecting privacy using a property regime is grounded in the assumption that under a propertized personal data regime “online commerce will be governed more and more by contracts between providers and users, and less by a priori (default) entitlement structures.” Radin, supra note 67, at 18 (footnote omitted). In contrast, default entitlement structures (and curtailed free marketability) are essential to the regime presented in the draft Regulation, which explains its greater compatibility with a human-rights approach.
* I am incredibly grateful to Professor Claire Priest for advising the project from which this Comment stems. I would also like to thank Professor Amy Kapczynski for her helpful comments on an earlier draft, Professor Oona Hathaway for introducing me to the draft Regulation, and Alex Metz and the editors of theYale Law Journal for their excellent suggestions and careful editing.